Beefy Boxes and Bandwidth Generously Provided by pair Networks
laziness, impatience, and hubris
 
PerlMonks  

Security Issue with Data::Dumper as a persistence mechanism

by gellyfish (Monsignor)
on Feb 08, 2002 at 16:32 UTC ( [id://144131]=note: print w/replies, xml ) Need Help??


in reply to Re: Data::Dumper in a nutshell?
in thread Data::Dumper in a nutshell?

you just do the file (or you eval the result of the database query), and your second program can use the value computed by the first program.

... or discover that some black hat has replaced your file with one containing system('rm -rf /')

Data::Dumper is not a good method of doing persistence, because of the need to evaluate the stored file as actual Perl code using do or eval your code is only as secure as your file storage.

If you must have a Human Readable persistent storage then you probaby want to look at Data::DumpXML or Data::Denter

with the former you might want to consider my talk from last years yapc::Europe about a security implication of deserializing Perl objects into your code.

/J\

In Section Seekers of Perl Wisdom

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?

www.com | www.net | www.org
Node Status?
node history
Node Type: note [id://144131]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others lurking in the Monastery: (3)
As of 2024-04-25 12:51 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found